A Review of the Best News of the Week on Cyber Threats & Defense

At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software (Krebs on Security, Mar 05 2021)
“At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity.”

A Basic Timeline of the Exchange Mass-Hack (Krebs on Security, Mar 08 2021)
“Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Here’s a brief timeline of what we know leading up to last week’s mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program.”

Four Microsoft Exchange Zero-Days Exploited by China (Schneier on Security, Mar 04 2021)
Microsoft has issued an emergency Microsoft Exchange patch to fix four zero-day vulnerabilities currently being exploited by China.


Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Suspected Chinese APT Group Targets Power Plants in India (SecurityWeek, Mar 01 2021)
Security researchers at Recorded Future have spotted a suspected Chinese APT actor targeting a wide range of critical infrastructure targets in India, including power plants, electricity distribution centers and Indian seaports.

Mysterious Macintosh Malware (Schneier on Security, Mar 02 2021)
“This is weird:

Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.”

The Accellion Breach Keeps Getting Worse—and More Expensive (Wired, Mar 08 2021)
What started as a few vulnerabilities in firewall equipment has snowballed into a global extortion spree.

Attacker Expands Use of Malicious SEO Techniques to Distribute Malware (Dark Reading, Mar 02 2021)
The operators of REvil and Gootkit have begun using a tried and tested technique to distribute additional malware, Sophos says.

Multi-payload Gootloader platform stealthily delivers malware and ransomware (Help Net Security, Mar 02 2021)
The delivery method for the six-year-old Gootkit financial malware has been developed into a complex and stealthy delivery system for a wide range of malware, including ransomware. Sophos researchers have named the platform Gootloader. It is actively delivering malicious payloads through tightly targeted operations in the US, Germany and South Korea. Previous campaigns also targeted internet users in France.

Ryuk Ransomware With Worm-Like Capabilities Spotted in the Wild (SecurityWeek, Mar 01 2021)
In early 2021, security researchers identified a variant of the infamous Ryuk ransomware that is capable of lateral movement within the infected networks.

‘ObliqueRAT’ Now Hides Behind Images on Compromised Websites (Dark Reading, Mar 02 2021)
‘Transparent Tribe’ has switched its tactics for distributing the remote access Trojan, researchers found.

Now-fixed Linux kernel vulnerabilities enabled local privilege escalation (CVE-2021-26708) (Help Net Security, Mar 03 2021)
Security researcher Alexander Popov has discovered and fixed five similar issues in the virtual socket implementation of the Linux kernel. The vulnerabilities could be exploited for local privilege escalation, as confirmed in experiments on Fedora 33 Server.

Proliferation of sneakerbots across industries: The long tail of DIY bot operators (Help Net Security, Mar 03 2021)
Many people’s first exposure to bots came from so-called sneakerbots. Sneakerbots are used to scan websites for inventory and automatically complete the checkout process. Combined with proxy services that provide IP addresses and user agents to make them appear as legitimate customers, they can be an effective means to score Yeezy, Air Jordans and other highly desired, limited edition footwear.

Secure Laptops & the Enterprise of the Future (Dark Reading, Mar 04 2021)
The enterprise of the future will depend upon organizations’ ability to extend the company firewall to everywhere people are working.

Digital-first lifestyle opens consumers to potential risks during tax season (Help Net Security, Mar 07 2021)
Consumers have faced a lot of change over the past year with the shift to a digital-first lifestyle, and tax season with increasing risks is no exception. McAfee’s 2021 Consumer Security Mindset study revealed that while roughly 2 out of 3 Americans (63%) plan to do their taxes online in 2021, 12% of Americans will be doing them online for the first time.

FINRA Warns of Ongoing Phishing Attacks Targeting Brokerage Firms (SecurityWeek, Mar 08 2021)
The Financial Industry Regulatory Authority (FINRA) has issued an alert to warn brokerage firms of a phishing campaign that is currently ongoing.

Securing APIs: Application Architecture Disrupted (Securosis Blog, Mar 05 2021)
“When you think of disruption, the typical image is a tornado coming through and ripping things up, leaving towns leveled and nothing the same moving forward. But disruption can be slow and steady, incremental in the way everything you thought you knew has changed. Securing cloud environments was like that, initially trying to use existing security concepts and controls, which worked well enough.”

No, RSA Is Not Broken (Schneier on Security, Mar 05 2021)
“I have been seeing this paper by cryptographer Peter Schnorr making the rounds: “Fast Factoring Integers by SVP Algorithms.” It describes a new factoring method, and its abstract ends with the provocative sentence: “This destroys the RSA cryptosystem.”

It does not. At best, it’s an improvement in factoring — and I’m not sure it’s even that. The paper is a preprint: it hasn’t been peer reviewed. Be careful taking its claims at face value.”